Amazon Certificate Manager (ACM) – Create and use TLS Certificate

Introduction

AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.

A very common use case comes to mind: “we have a web application which uses an Elastic Load Balancer (ELB)”. To encrypt traffic between the ELB and the client, we need a TLS certificate.

AWS Certificate Manager (ACM) is a service that lets you easily and quickly request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and let AWS Certificate Manager handle certificate renewals.

ACM requires that you validate the domain, i.e. prove that you control it. You can do so using DNS or email validation.

If you already have a domain, that’s fine; otherwise you can register one using the AWS service Route 53.

Now, if you have been following along, we already have a domain registered using Route 53, and we also hosted a static website in an S3 bucket and created a CloudFront distribution that points to this bucket.

If you are new to these topics, the following links point to posts that provide the background information needed to follow along:

Requirement

We want the registered domain (Route 53) to be used with the website distribution (CloudFront), which points to the static website (S3 bucket), secured with a TLS certificate (ACM).

So, with this requirement, we will cover ACM basics and bring all the above-mentioned posts together in one exercise. This lets us practice how to combine these services to achieve a common requirement. This is the case with most AWS services: you configure them to build solutions as per your requirements.

The TLS certificate via ACM is the new part, so let’s start with that.

Request a Certificate

We can request a certificate using the ACM web console by clicking the button shown below:

On the next page:

We’ll go with the default option for Certificate type (public certificate) as shown below:

On the next page:

(The * here makes it a wildcard certificate, so it is valid for any subdomain such as www.awsclouddemos.com or info.awsclouddemos.com.)

By the way, you can add multiple domain names to a certificate (the same rule applies: you must validate that you control the DNS records of every domain you add to the certificate).

For the validation method, we will go with DNS validation, and at the end of the page click the button to request the certificate:

and this will bring us to the following screen:

The certificate is created and its status is Pending validation.

Create records in Route 53

We can now click the certificate to see its details:

As you can see, both domain name entries are there (pending validation).

Because we are using Route 53, we can click the Create records in Route 53 button to prove that we control the domain name(s), which is very convenient. Let’s click the button; it shows the following screen, where we click the Create records button:

Once you click the Create records button, it creates the CNAME records and the UI is populated with those values. As you can see, we have CNAME record entries for both domains. However, note that it is actually the same CNAME record for both.

We can now click the Create records in Route 53 button again, as shown above.

That’s all. Now we play the waiting game and refresh the UI to see whether the certificate’s status has been updated. Eventually it tells us that it has validated the domain and issued our TLS certificate:

So now we have a certificate for our domain. Next we will see how to use it with a CloudFront distribution.
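The console does the record creation for you, but it is worth seeing what it actually writes. The following is an added example, not code from the original post: it takes the validation records that ACM reports for a pending certificate (the shape of an `aws acm describe-certificate` response; the record names and values here are constructed samples) and builds the Route 53 change batch that would create them. It deduplicates the shared CNAME the post points out for the apex and wildcard names, and uses UPSERT so the batch can be re-applied safely. The `is_issued` check mirrors the "waiting game" of refreshing until the status flips.

```python
"""Added example (not from the original post): turn the DNS validation
records ACM reports for a pending certificate into a Route 53 change batch.
The certificate dict below is a constructed sample shaped like the
relevant part of `aws acm describe-certificate` output."""
import json

# Constructed sample covering the apex and the wildcard name. As the post
# notes, ACM hands out the SAME validation CNAME for both entries.
SAMPLE_CERTIFICATE = {
    "DomainName": "awsclouddemos.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {
            "DomainName": "awsclouddemos.com",
            "ValidationStatus": "PENDING_VALIDATION",
            "ValidationMethod": "DNS",
            "ResourceRecord": {
                "Name": "_1a2b3c4d.awsclouddemos.com.",
                "Type": "CNAME",
                "Value": "_5e6f7a8b.acm-validations.aws.",
            },
        },
        {
            "DomainName": "*.awsclouddemos.com",
            "ValidationStatus": "PENDING_VALIDATION",
            "ValidationMethod": "DNS",
            "ResourceRecord": {
                "Name": "_1a2b3c4d.awsclouddemos.com.",
                "Type": "CNAME",
                "Value": "_5e6f7a8b.acm-validations.aws.",
            },
        },
    ],
}


def validation_records(certificate):
    """Return the unique DNS validation records, in the order ACM lists them."""
    seen, records = set(), []
    for option in certificate["DomainValidationOptions"]:
        if option.get("ValidationMethod") != "DNS":
            continue  # email-validated names have no record to create
        rr = option["ResourceRecord"]
        key = (rr["Name"], rr["Type"], rr["Value"])
        if key not in seen:
            seen.add(key)
            records.append(rr)
    return records


def route53_change_batch(certificate, comment="ACM DNS validation"):
    """Build the change batch body for `aws route53 change-resource-record-sets`.
    UPSERT is idempotent, so re-running after a renewal or a second
    certificate request does not fail on an already existing record."""
    changes = [
        {
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": 300,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        }
        for rr in validation_records(certificate)
    ]
    return {"Comment": comment, "Changes": changes}


def is_issued(certificate):
    """True once ACM has validated every name and issued the certificate."""
    return certificate["Status"] == "ISSUED" and all(
        o["ValidationStatus"] == "SUCCESS"
        for o in certificate["DomainValidationOptions"]
    )


if __name__ == "__main__":
    print(json.dumps(route53_change_batch(SAMPLE_CERTIFICATE), indent=2))
    print("issued:", is_issued(SAMPLE_CERTIFICATE))
```

Two points the batch makes visible: the validation record is a CNAME under your zone pointing at an ACM-owned name, so ACM can re-check it at renewal time as long as you leave it in place, and one record is enough for both the apex and the wildcard entry.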

Update CloudFront Distribution with Alternate Domain Name (CNAME)

Now, in this section, we are going to use this certificate with a CloudFront distribution. You can check the earlier-mentioned posts for how to set up a CloudFront distribution.

Here I edited the distribution and added the alternate domain names as shown below, then selected the SSL certificate from the dropdown box.

(Note: initially the SSL certificate list was empty; it turns out that a certificate used with CloudFront must be in the us-east-1 Region. So I created a new certificate following the steps shown earlier, clicked the refresh button and then selected the certificate.)

Save the changes, and you can see the distribution has been updated:

Update Route 53 Alias record(s) to point to the CloudFront Distribution

Next, I updated the Route 53 DNS record as shown below:

Also, update/create the wildcard record:

Here are the records for the domain:

Again, these parts are covered in previous posts, so I am not going into details here.
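The two console steps above (attach the certificate to the distribution, then point the apex and wildcard records at it) are what the following added example expresses in code. It is not code from the original post; the certificate ARN, distribution domain and zone name are constructed samples. It checks the ARN's region before building the CloudFront viewer-certificate settings, which is the empty-dropdown gotcha from the previous section, and builds the Route 53 alias change batch. The CloudFront alias hosted zone id Z2FDTNDATAQYW2 is the documented fixed value used for every distribution.

```python
"""Added example (not from the original post): wire an ACM certificate into a
CloudFront distribution config and point Route 53 aliases at the distribution.
ARN, distribution domain and zone name below are constructed samples."""
import re

# Fixed hosted zone id used for Route 53 alias targets that point at CloudFront.
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"

_ACM_ARN_RE = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):certificate/(?P<id>[0-9a-f-]+)$"
)


def certificate_region(cert_arn):
    """Extract the region from an ACM certificate ARN, rejecting anything else."""
    m = _ACM_ARN_RE.match(cert_arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {cert_arn}")
    return m.group("region")


def viewer_certificate(cert_arn):
    """ViewerCertificate settings for a distribution config. CloudFront only
    accepts ACM certificates that live in us-east-1, so fail early otherwise."""
    region = certificate_region(cert_arn)
    if region != "us-east-1":
        raise ValueError(f"CloudFront needs the certificate in us-east-1, got {region}")
    return {
        "ACMCertificateArn": cert_arn,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    }


def with_custom_domain(distribution_config, aliases, cert_arn):
    """Return a copy of a distribution config with alternate domain names and
    the certificate set, as the console edit in the post does."""
    updated = dict(distribution_config)
    updated["Aliases"] = {"Quantity": len(aliases), "Items": list(aliases)}
    updated["ViewerCertificate"] = viewer_certificate(cert_arn)
    return updated


def alias_change_batch(zone_name, distribution_domain):
    """Route 53 alias A records for the apex and the wildcard name, both
    pointing at the distribution's *.cloudfront.net domain."""
    changes = []
    for name in (zone_name, f"*.{zone_name}"):
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": f"{name}.",
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": CLOUDFRONT_ALIAS_ZONE_ID,
                    "DNSName": f"{distribution_domain}.",
                    "EvaluateTargetHealth": False,
                },
            },
        })
    return {"Comment": "point apex and wildcard at CloudFront", "Changes": changes}


if __name__ == "__main__":
    # Constructed sample values; a real ARN comes from `aws acm list-certificates`.
    arn = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
    config = with_custom_domain({"Comment": "static site"},
                                ["awsclouddemos.com", "*.awsclouddemos.com"], arn)
    print(config["ViewerCertificate"])
    print(alias_change_batch("awsclouddemos.com", "d111111abcdef8.cloudfront.net"))
```

The alias names listed in `Aliases` must be covered by the certificate's names, which is why the post requests the apex and the wildcard together; an alias the certificate does not cover is rejected when the distribution is updated.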

Testing the Application

Now you can test that the application can be reached not only via the top-level domain address but also via any subdomain address (due to the wildcard record).
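Besides opening the site in a browser, it helps to know exactly which hostnames the certificate covers, because a DNS wildcard record and a certificate wildcard name do not behave the same way. The following added example (not from the original post) applies the usual one-label wildcard matching rule to a constructed SAN list matching the post's setup, and includes a helper that fetches the SANs actually served on port 443 so you can compare them with what you expect.

```python
"""Added example (not from the original post): check which hostnames a
certificate's Subject Alternative Names cover, and fetch the SANs a server
actually presents. SAMPLE_SANS is a constructed list matching the post's
apex + wildcard certificate."""
import socket
import ssl

SAMPLE_SANS = ["awsclouddemos.com", "*.awsclouddemos.com"]


def hostname_matches(pattern, hostname):
    """RFC 6125-style matching: '*' is accepted only as the whole leftmost
    label and matches exactly one label. So '*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]


def covered(hostname, sans=SAMPLE_SANS):
    """True if any SAN on the certificate matches the hostname."""
    return any(hostname_matches(san, hostname) for san in sans)


def uncovered_aliases(aliases, sans=SAMPLE_SANS):
    """Aliases (e.g. CloudFront alternate domain names) the certificate would not cover."""
    return [a for a in aliases if not covered(a, sans)]


def served_sans(hostname, port=443, timeout=5.0):
    """Connect with SNI and return the dNSName SANs from the certificate the
    server presents. Needs network access, so it is only called by hand."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for host in ("awsclouddemos.com", "www.awsclouddemos.com",
                 "info.awsclouddemos.com", "a.b.awsclouddemos.com"):
        print(f"{host}: {'covered' if covered(host) else 'NOT covered'}")
```

The practical lesson is that the wildcard DNS record happily resolves `a.b.awsclouddemos.com` to CloudFront, but the wildcard certificate name does not cover it, so a browser would show a certificate error for that hostname. The apex name, likewise, is covered only because it was added to the certificate explicitly.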

Summary

AWS Certificate Manager (ACM) is a service that lets you easily and quickly request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and let AWS Certificate Manager handle certificate renewals.

In this post, we learned how to get started with ACM, create a certificate and use it with a CloudFront distribution. We also saw how to create/update Route 53 DNS records to route traffic to CloudFront, and the end result was that our web application can be reached over HTTPS using a custom domain.

Let me know if you have some comments or questions. Till next time.